Last month, employees at the Colorado Department of Transportation were greeted by a message on their computer screens similar to this:

“All your files are encrypted with RSA-2048 encryption. … It’s not possible to recover your files without private key. … You must send us 0.7 BitCoin for each affected PC or 3 BitCoins to receive ALL Private Keys for ALL affected PC’s.”


Versions of CryptoLocker ransomware notify computer users that their files have been encrypted and locked. Users are instructed to pay bitcoin to get the files back. But Webroot and other security companies warn that not all ransomware actually returns the files intact, so check with security companies, which will know the reputation of those hackers. (Images provided by Webroot)

CDOT isn’t paying, but others have. In fact, so-called ransomware has become one of the most lucrative criminal enterprises in the U.S. and internationally, with the FBI estimating total payments are nearing $1 billion. Hackers use ransomware to encrypt computer files, making them unreadable without a secret key, and then demand digital currency like bitcoin if victims want the files back — and many victims are falling for that promise.

To better understand how ransomware works and how it has spread so effectively, The Denver Post talked with Broomfield anti-malware company Webroot, which got its start in the late 1990s cleansing computer viruses from personal computers.

“The end goal is just to put ransomware on the computer because right now the most successful way for cybercriminals to make money is with ransoming your files,” said Tyler Moffitt, a senior threat research analyst at Webroot.

It’s a growing business for cybercriminals. And whether to pay or not is something each user or company must decide.

Last spring, the Erie County Medical Center in New York was attacked by SamSam due to a misconfigured web server, according to The Buffalo News. Because it had backed up its files, the hospital decided not to pay the estimated $44,000 ransom. It took six weeks to get back to normal at a recovery cost of nearly $10 million.

More recently in January, the new SamSam variant sneaked into Indiana hospital Hancock Health, which decided to pay 4 bitcoin, or about $55,000, in ransom. Attackers gained entry by using a vendor’s username and password on a Thursday night. The hospital was back online by Monday morning.

Image provided by Cisco

A variant of the SamSam ransomware has attacked computer systems of hospitals, healthcare systems and government agencies, like the Colorado Department of Transportation. Cisco Systems’ security unit Talos has been tracking SamSam and shared this screen image of the ransomware’s demands. In January, Talos researchers said that the SamSam variant had collected 30.4 bitcoin, or about $325,217.07, in four weeks.

Colorado security officials are still investigating the CDOT ransomware attack that took 2,000 employee computers offline for more than a week. They don’t plan to pay the ransom but offered few details about the attack other than confirming it was a variant of the SamSam ransomware. Security researchers with Cisco’s Talos, which shared the SamSam message with The Denver Post, reported in January that the new SamSam variant had so far collected 30.4 bitcoin, or about $325,217.

Ransomware typically gets on a computer when someone inadvertently downloads the nasty code. It’s not always as blatant as opening an email attachment, though those still exist. One such malware, called NemucodAES, disguised itself as an email from UPS about an undelivered package and instructed recipients to “Please check the attachment for details.” Security software, such as anti-malware from Emsisoft, stopped the ransomware spread because it detected suspicious behavior. Emsisoft also created a decryptor to help users recover files without paying the ransom.

Other times, malware isn’t so obvious. Some propagates when a user visits an infected website. A trojan named Poweliks injected bad code into vulnerable programs, like an unpatched Internet Explorer. Poweliks crept into the Windows registry to force the computer to do all sorts of nasty things, from demanding a ransom to joining a click-fraud bot network that clicks ads without the user even realizing it.

There also are booby-trapped ads, known as malvertising. They get into computers by, again, targeting flawed software and injecting malicious code. This has targeted programs like unpatched Adobe Flash Player, Java or other runtime software, or software that runs online all the time.

Back up files. Store critical ones in a secure place or on different media.

Regularly check for software updates for Windows or other OS as well as other software you use.

Use anti-malware software from a reputable company for an extra layer of protection. Make sure it’s turned on and regularly scanning.

Be wise about clicking links. If it’s a message from your bank or other account, go directly to that site to verify they sent the message.

Don’t fall for social engineering in common phishing messages, such as one from an HR department about your resume, an undelivered package from the post office, or resetting a password.

For businesses, block unwanted applications. Categorize users to give them network access to only files they need.

If your computer is hijacked by ransomware, check with security companies to see if those hackers are returning files safely. Decryption tools may also already be available. The security-industry-sponsored NoMoreRansom.org helps victims unlock computers.

Don’t provide personal information to hackers or unsolicited callers who could be posing as IT help.

The FBI and many other security companies say don’t pay the ransom because it only encourages hackers.

“Cybercriminals will create fake ad networks or submit legitimate ads for weeks so they can gain a reputation and circulation with ad networks. Once they have the reputation, they make the switch. Instead of pointing you to a legitimate site, they point to a malware page,” Moffitt said. He added: “They exploit vulnerabilities. We’re talking Java, Adobe Flash, Silverlight and all these components that you’re required to have to experience the web with your browser. So, when you see constant updates for Adobe or Java, they’re usually to patch stuff like this. The problem is people say, ‘No, I don’t want to update,’ ‘No, leave me alone.’ What they’re doing is they’re trying to save you from this (malware).”

Webroot’s team digitally takes apart ransomware code to learn more. Eric Klonowski, a senior advanced threat research analyst, demonstrated this by using software to disassemble Locky, ransomware that spread in 2016 because of a feature in Microsoft Office, called a macro, that automates certain functions. Locky tricks users into enabling the macro, which then fetches the last piece of malware and begins encrypting or locking images, videos, Word documents and other files on the computer. On screen, Klonowski finds Locky code that indicates the virus plans to encrypt files.
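As an added illustration, not part of the Post’s reporting or of Webroot’s tooling, the script below shows the kind of check a mail gateway can run against the delivery mechanism described above: it inspects an Office (OOXML) attachment for a VBA macro and flags it for quarantine. The sample documents it examines are constructed inside the script, not real Locky files.

```python
import io
import zipfile

# Content type Office assigns to the main part of a macro-enabled Word document (.docm).
MACRO_ENABLED_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_DOCX_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def macro_indicators(data: bytes) -> dict:
    """Report which macro indicators an OOXML attachment carries (legacy .doc/OLE is out of scope)."""
    result = {"is_ooxml": False, "vba_project": False, "macro_content_type": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a zip container, so not an OOXML document
    result["is_ooxml"] = True
    names = set(zf.namelist())
    # vbaProject.bin is the stream that stores the VBA macro code inside the package.
    result["vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    if "[Content_Types].xml" in names:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["macro_content_type"] = "macroEnabled" in content_types
    return result


def should_quarantine(data: bytes) -> bool:
    """True when the attachment is an OOXML document that carries a macro by either indicator."""
    ind = macro_indicators(data)
    # Either indicator is enough: a .docm renamed to .docx still has both inside the zip.
    return ind["is_ooxml"] and (ind["vba_project"] or ind["macro_content_type"])


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for demonstration only; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_ct = MACRO_ENABLED_MAIN if with_macro else PLAIN_DOCX_MAIN
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, no real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("macro-enabled", build_sample(True)), ("plain", build_sample(False))):
        print(label, "quarantine" if should_quarantine(doc) else "allow", macro_indicators(doc))
```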

“Any sort of encryption is indicative of ransomware,” he said.

By studying the code, Klonowski can also get a better sense if the hacker plans to return the files intact if a user pays up.

“As it turns out, I can actually view (within) the ransomware code whether or not you can get your files back,” he said. “If there’s no evidence that there’s software that can decrypt your files, then it could be a scam.”

With a growing number of attacks each year, the security industry has had to rethink how it can stay ahead of attackers to protect customers. Webroot uses a multipronged approach that starts with machine learning to give computers a kind of sixth sense that something new and dangerous is approaching, said David Dufour, Webroot’s vice president of engineering and cybersecurity.

“We can take a piece of malware and pull out thousands of features about that malware or a website and train a model. We feed those features into it and it’ll come back and tell us: ‘Is that a malicious website? Is that a malicious piece of software? Is that a good website that we can let our users go to?’ ” said Dufour, who likened the learning process to humans figuring out if a watermelon is ripe — they thump it, smell it and feel it. “It takes all this information and makes these determinations, millions of times per second.”

That’s faster than a human can do the same job. And that’s how a company like Webroot protects its business customers and home users and stays ahead of nasty software. When new malware attacks a system, Webroot’s software may just “see spikes in unknowns,” which tips off researchers that something is brewing.

The reality is that people need to be smarter about computer security. That means patching software, using anti-malware software, and not sharing passwords and accounts. And not opening files, emails or links from unfamiliar sources — and sometimes familiar sources.

Webroot doesn’t have an official stance on whether to pay a ransom to get files back, but Dufour says it’s a personal decision. Cybersecurity companies like Webroot can advise whether the hacker has a reputation for restoring files after payment is received.

“Paying a ransom to a cybercriminal is an incredibly personal decision. It’s easy to say not to negotiate with criminals when it’s not your family photos or business data that you’ll never see again. Unfortunately, if you want your data back, paying the ransom is often the only option,” Dufour said. “However, it’s important to know that there are some strains of ransomware that have coding and encryption errors. For these cases, even paying the ransom won’t decrypt your data. I recommend checking with a computer security expert before paying any ransom.”